Wednesday, 29 October 2014

Snort on Ubuntu 14.04 from Sourcecode with Barnyard, SnortReport, Acid

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP net-works. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks  and  probes,  such  as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses.  It can be used as a straight packet sniffer like tcpdump , a packet logger  , or as a full blown network intrusion detection/prevention system system. 

Main features introduced in 2.9.6-2.9.7:

·         Added additional support for Heartbleed detection within the SSL preprocessor to improve performance.

·         A new protected_content rule option that is used to match against a content that is hashed.  It can be used to obscure the full context of the rule from the administrator.

·         Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to more accurately process different portions of email messages and file attachments.

·         Added ability to test normalization behavior without modifying network traffic.  When configured using na_policy_mode:inline-test, statistics will be gathered on packet normalizations that would have occurred, allowing less disruptive testing of inline deployments.

·         Added improved XFF support to HttpInspect. It is now possible to specify custom HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may contain multiple XFF-like headers, it is possible to specify which headers hold precedence.

·         The HTTP Inspection preprocessor now has the ability to decompress DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF content from http responses when configured with the new decompress_swf and decompress_pdf options. This enhancement can be used with existing rule options that already match against decompressed equivalents. Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.

·         Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.

·         Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.

·         A new rule option ‘byte_extract’ that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.

·         Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.

·          Ability to “test” drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.

·          Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.

·          Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.

 In the latest version of snort some things about compiling  have slightly changed, the libdnet and the Data AcQuisition library (DAQ) needs to be be compiled separately. This post realtes only to compileation and installation of Snort 2.9.x.x from  source code.

LAMP (Linux, Apache, MySQL and PHP) environment:

Installing Apache, PHP and MySQL: 

 

$sudo apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev php5-gd php-pear libphp-adodb php5-cli 

 

Get required packages:

 

$ sudo apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl libtool libssl-dev build-essential automake gcc make flex bison

 

 

 

 Download and Install libdnet:

There are Ubuntu packages for libdnet but this, I find, an easier way of installing. Download the following file and install it with these commands from your download directory:

$ sudo mkdir /usr/local/snort

$cd /usr/local/snort

$ sudo wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

$ sudo tar xzvf libdnet-1.12.tgz

$ cd libdnet-1.12/

$sudo ./configure

$sudo  make

$sudo make install

$sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

 

 

 Installing and Downloading Data Acquisition API (DAQ): 

Snort 2.9.0 introduces the new Data Acquisition API. We’ll need to download and install it before we set up the core Snort package. Download that package to your Snort machine:

If you need to access the /usr/local/snort via the GUI for copying of files, then go to root and type in:

 

$ gksudo nautilus

This should give a view of the root folders.  Install the package using the following commands: 

$cd /usr/local/snort

$ sudo tar zxvf daq-2.0.4.tar.gz

$cd daq-2.0.4

$ sudo ./configure

$ sudo make

$sudo make install

 Download and Install libpcap:

 $cd /usr/local/snort

 $ sudo wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz

$ sudo tar zxvf libpcap-1.3.0.tar.gz

$cd libpcap-1.3.0

$ sudo ./configure

$sudo make

$sudo make install

$echo “/usr/local/lib” >> /etc/ld.so.conf

$ldconfig -v 

Download and Install Snort: 

While we could install the Snort packages from the Ubuntu 14.04 repositories, that doesn’t guarantee the latest and greatest version of Snort being set up so we compile and install the source code. Go to  http://www.snort.org/snort-downloads and download the newest stable version.

The following steps will install Snort into /usr/local/snort but you can change this to a directory of your liking by modifying the paths below. 

Open a command prompt and issue the following commands from the directory where you downloaded the Snort 

$ sudo tar zxf snort-2.9.6.1.tar.gz

$cd snort-2.9.6.1

$ sudo ./configure –prefix=/usr/local/snort –enable-sourcefire

$ sudo make

$ sudo make install

$ sudo mkdir /var/log/snort

$ sudo mkdir /var/snort

$ sudo groupadd snort

$ sudo useradd -g snort snort

$ sudo chown snort:snort /var/log/snort

Download the Latest Snort Rules: 

The next step is to download the latest Snort ruleset. You’ll need to log into the Sourcefire site in a browser in order to get the file. The latest rules are located here: https://www.snort.org/snort-rules

There are two sections on this page – one for VRT subscribers and one for registered users. The only difference is that the registered user rule files are 30 days older than those for subscribers.

Download this file to your IDS machine: snortrules-snapshot-2960.tar.gz. 

Open a command prompt in the directory where you downloaded the Snort ruleset file and issue the following commands: 

$ sudo tar zxf snortrules-snapshot-2960.tar.gz -C /usr/local/snort

$ sudo mkdir /usr/local/snort/lib/snort_dynamicrules

$ sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-4/x86-64/2.9.5.3/* /usr/local/snort/lib/snort_dynamicrules

$ sudo touch /usr/local/snort/rules/white_list.rules

$ sudo touch /usr/local/snort/rules/black_list.rules

$ldconfig -v

Now we need to edit the snort.conf configuration file:

 $ sudo vi /usr/local/snort/etc/snort.conf

 var WHITE_LIST_PATH /usr/local/snort/rules

var BLACK_LIST_PATH /usr/local/snort/rules 

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/

dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so

dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules 

$output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types output unified2: filename snort.u2, limit 128

:wq!

 Download and Install Barnyard2: 

Barnyard2 improves the efficiency of Snort by reducing the load on the main detection engine. It reads Snort’s unified logging output files and enters them into a database. If the database is unavailable Barnyard will input all data when the database comes back online so no alerts will be lost. 

$ sudo git clone  http://github.com/firnsy/barnyard2.git barnyard 

$cd barnyard2

$ sudo autoreconf -fvi -I ./m4

$ sudo ./configure –with-mysql –with-mysql-libraries=/usr/lib/x86_64-linux-gnu

$ sudo make

$ sudo make install

$ sudo cp etc/barnyard2.conf /usr/local/snort/etc

$ sudo mkdir /var/log/barnyard2

$ sudo chmod 666 /var/log/barnyard2

$ sudo touch /var/log/snort/barnyard2.waldo

$ sudo chown snort.snort /var/log/snort/barnyard2.waldo 

We need to create the MySQL database and the database schema. Tis will need the MySQL password that was created earlier: 

$echo “create database snort;” | mysql -u root -p 

$ sudo mysql -u root -p -D snort < ./schemas/create_mysql 

Next create an additional MySQL user for Snort to use as it’s not a good idea to run the daemon as root. Remember the password that you enter below. Also please note the single quotes around the password in addition to the double quotes around the entire echo statement: 

$echo “grant create, insert, select, delete, update on snort.* to snort@localhost identified by ‘bhuvi'” | mysql -u root -p 

Modify the Barnyard2 configuration file with the following command: 

$vi /usr/local/snort/etc/barnyard2.conf 

config  reference_file: /usr/local/snort/etc/reference.config

config  classification_file: /usr/local/snort/etc/classification.config

config  gen_file: /usr/local/snort/etc/gen-msg.map

config  sid_file: /usr/local/snort/etc/sid-msg.map

config hostname: localhost

config interface: eth0

output database: log, mysql,

 Testing Snort:

 You can test to see if Snort will run by using this command: 

$ sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

A message saying “Commencing packet processing.” should be visible. You can cancel it by hitting Control-C. If it fails to initialize please see the forums at snort.org to determine the problem. It will usually be something in the configuration file. 

To set Snort to start automatically on your machine edit the rc.local file with the following command:

 $sudo vi /etc/rc.local

ifconfig eth0 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

:wq!

 Save the file and exit. Then either reboot or use the following command to start Snort:

 $sudo /etc/init.d/rc.local start

 Monitoring

Download and Set up Snort Report: The next step is to download and configure Snort Report. It’s available at http://www.symmetrixtech.com under the downloads section.

 

 At the time of authoring this the current version was 1.3.4. Download snortreport-1.3.4.tar.gz to a directory on your IDS machine.Open a command prompt in the directory to which you downloaded Snort Report and issue the following 

$sudo tar zxvf snortreport-1.3.4.tar.gz -C /var/www/html 

Now we need to modify the Snort Report configuration file to reflect your MySQL login info and location of the jpgraph libraries. Change the file by editing srconf.php with this command: 

$sudo vi /var/www/snortreport-1.3.4/srconf.php

$pass = “bhuvi”;

 

Install JPGraph:

 

 

$cd /var/www/html

$sudo wget  http://jpgraph.net/download/download.php?p=5

$sudo tar xvzf jpgraph-3.5.0b1.tar.gz

$sudo rm -rf jpgraph-3.5.0b1.tar.gz

 Installing ADODB: 

$cd /var/www/html

$sudo wget  http://kaz.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz

$sudo tar xzf adodb518a.tgz

$sudo rm adodb518a.tgz

 Installing and configuring Acid: 

$cd /var/www/html

$sudo wget  http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz

$sudo tar xzf acid-0.9.6b23.tar.gz

$sudo rm acid-0.9.6b23.tar.gz

 

$sudo vi /var/www/html/acid/acid_conf.php 

$DBlib_path = “/var/www/html/adodb518a”; 

$alert_dbname = “snort”;

$alert_host = “localhost”;

$alert_port = “”;

$alert_user = “snort”;

$alert_password = “bhuvi”;

$archive_dbname = “snort”;

$archive_host = “localhost”;

$archive_port = “”;

$archive_user = “snort”;

$archive_password = “bhuvi”;

 $ChartLib_path = “/var/www/html/jpgraph-3.5.0b1/src”;

 :wq!

Start Apache then go to http://yourhost/acid/acid_main.php . You will get a message that looks like this in your browser:

 

 Please Click the button that says “Create Acid AG” 

 Now browse to acid main page , it will show record details of snort…we are done!

 

 

No comments:

Breakfast At Serengeti

Breakfast At Serengeti
Lion's Share

The Ngorongoro Family

The Ngorongoro Family
Click on the Picture Above To Make It Larger

Tabloid Time: The Aliens Are a'Landing ?!.. ;-)

At the risk of being ridiculed and being labelled a freak, I shall like to draw everyone's attention to the following recent events....If you watch the videos then turn on the sound for the commentary...



Fireball across Ausin, Texas (16th Feb 2009). According to BBC, apparently, its NOT debris from a recent satellite collision...:
http://news.bbc.co.uk/1/hi/world/7891912.stm
http://us.cnn.com/2009/US/02/15/texas.sky.debris/index.html

Same in Idaho in recent times. NO meteor remains found yet: http://news.bbc.co.uk/1/hi/sci/tech/7744585.stm

Exactly same in Sweden: http://news.bbc.co.uk/1/hi/world/europe/7836656.stm?lss

This was recorded on 25th Feb 2007 in Dakota, US:
http://www.youtube.com/watch?v=cVEsL584kGw&feature=related

This year has seen three of the spookiest UFO videos surface, with people in India, Mexico and even in space, NASA, spotting things they couldn't explain: http://www.youtube.com/watch?v=7WYRyuL4Z5I&feature=related

CHECK out this one on 24th Januray, 2009 in Argentina close to Buenos Aires:
You tube: www.youtube.com/
Press:
Press Coverage

AND Lastly, and more importantly, from Buzz Aldrin on Apollo 11 : http://www.youtube.com/watch?v=XlkV1ybBnHI

Heh?! Don't know how authentic these news are... don't even know if these are UFO's or meteors or ball lightning or something else. But, if meteors, then where are the meteorites ? However, I see no reason why life cannot exist in other planets and why they could not be sneaking around here :-) . I for one, have long suspected some of my relations to be space aliens or at least X-people from X-files :-)

I am waiting for a job on an Alien spaceship myself. :-)


Giraffes in Parallel Universe

Giraffes in Parallel Universe
At Lake Manyara

Serengeti Shall Never Die

Serengeti Shall Never Die
Wildebeeste Calf starts running only 5 min. after being born. CLICK on the pitcture to view Slideshow